Summary
Bumblebee is a highly sophisticated downloader malware cybercriminals use to gain access to corporate networks and deliver other payloads such as Cobalt Strike beacons and ransomware. The Google Threat Analysis Group first discovered the malware in March 2022 and named it Bumblebee based on a User-Agent string it used.
The Netskope Threat Labs team discovered what seems to be a new infection chain leading to Bumblebee malware infection, and our findings corroborate those shared by other researchers.
In this blog post, we will analyze all the files involved in the chain until the execution of the Bumblebee payload.
Key findings
- This is the first occurrence of a Bumblebee campaign we have seen since Operation Endgame, an operation performed by Europol in May 2024 to disrupt major malware botnets such as Bumblebee, IcedID, and Pikabot.
- The infection chain used to deliver the final payload is not new, but this is the first time we have seen it being used by Bumblebee.
- These activities might indicate the resurfacing of Bumblebee in the threat landscape.
Initial infection
The infection likely starts with a phishing email luring the victim into downloading a ZIP file, then extracting and executing the file inside it. Th